On 17 December 2021, the Irish Data Protection Commission (“DPC”) published the final version of its guidance “Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing” (“the Fundamentals”). The Fundamentals set out principles and recommendations for companies to follow when processing children’s data in Ireland. The Fundamentals seek to enhance the level of protection afforded to children, both online and offline.
Background
The Fundamentals follows a three year working progress, during which regulatory focus and enforcement relating to children’s privacy has been ramping up. The process involved three separate stakeholder consultations. In 2018, a two-streamed public consultation was launched. The “first stream” sought the views of adult stakeholders including parents, educators, children’s rights organisations and the industry, while in the “second stream” the DPC engaged directly with children.
In December 2020, the DPC published a draft version of the Fundamentals and ran a final public consultation on the document between 18 December 2020 and 31 March 2021. The DPC published a report on the submissions received, in response to this public consultation in November 2021, along with the DPC’s responses to the feedback.
Who do the Fundamentals apply to?
The Fundamentals apply to all organisations offering services “directed at, intended for or likely to be accessed by children”. The Fundamentals, therefore, do not just apply to online services but to offline services also (including educational providers, sports/social clubs and communities, and health/social support providers).
For the purposes of the Fundamentals, a child is described as somebody under the age of eighteen (18). Further, the term relating to the relevant services which are “likely to be accessed by children” simply means that the services are more likely than not, on balance, to be access by children. The DPC, however, clarifies that the Fundamentals cover services that a significant number of children are, in reality, using (as opposed to any service that is offered online), even if the service in question was not primarily intended for children or originally designed with them in mind.
The fourteen Fundamentals
The Fundamentals set out 14 core principles to enhance protections for children in the processing of their personal data. They are described as the “baseline expectations” of the DPC:
- Floor of protection: The Fundamentals provide organisations a choice to either apply the requirements holistically, so that all users (irrespective of whether they are children) benefit from the increased level of protection, or take a risk-based approach to verifying the age of their users so that all child users are awarded enhanced protections.
- Clear-cut consent: When a child has given consent for their data to be processed, that consent must be freely given, specific, informed and unambiguous, made by way of a clear statement or affirmative action.
- Zero interference: Online service providers processing children’s data should ensure that the pursuit of their legitimate interests do not negatively impact the best interests of the child.
- Know your audience: Online service providers should take steps to identify their users and ensure that services directed at, intended for or likely to be accessed by children have child-specific data protection measures in place.
- Information in every instance: Children are entitled to receive information about the processing of their own personal data irrespective of the legal basis relied on and even if a parent or guardian consented to the processing on their behalf.
- Child-oriented transparency: Privacy information must be provided in a concise, transparent, intelligible and accessible way, using clear and plain language that is comprehensible and suited to the age of the child. As well as considering the age appropriateness of the language itself, children may require information in different formats and at different times in the user journey (e.g. just-in-time notice, and instant chat functions) in order to fulfil this requirement.
- Let children have their say: Children are data subjects in their own right and have rights in relation to their personal data at any age. The DPC does not set a general age threshold for children to exercise their rights. They may do so at any time, as long as they have the capacity and it is in their best interests. Age, maturity or capacity should not prevent this. It is for an organisation to decide how it is most appropriate to respond to a request to exercise the data subject rights of a child.
- Consent does not change childhood: Consent obtained from children or responsible adults is not a justification to treat children as if they were adults.
- Your platform, your responsibility: Companies providing or selling services through digital and online technologies pose particular risks to children. The Fundamentals stress that a higher burden apply to technology and internet companies to verify age and consent where this is relied upon. The DPC recognises that there is “no one-size-fits-all solution” to the issue of age verification as the appropriateness of mechanisms will depend on certain factors including the relevant services and the sensitivity of the data.
- Do not shut out child users or downgrade their experience: If your service is likely to be accessed by children, you cannot bypass your obligations by shutting them out or depriving them of a rich service experience.
- Minimum user ages are not an excuse: Theoretical user age thresholds for accessing services don’t displace the obligations of organisations to comply with their obligations relating to children’s data. Where an age threshold is in place, companies should take steps to ensure that age verification mechanisms are effective at preventing children below that age from accessing the service. If it cannot prevent this, the company should implement appropriate measures.
- A precautionary approach to profiling: Online service providers should not profile children or carry out automated decision making in relation to children, or use their personal data, for marketing or advertising purposes, unless the company can clearly demonstrate how and why it is in the best interests of the child to do so.
- Do a DPIA: Online service providers should undertake data protection impact assessments (“DPIA”) to minimise risks to children. The principle of the best interests of the child must be a key criterion in any DPIA and must prevail over the commercial interests of an organisation.
- Bake it in: Online service providers that routinely process children’s personal data should, by design and by default, have a consistently high level of data protection which is “baked in” across their services. This means that data protection measures should be built into the architecture and functioning of a product or service from the very start of the design process and the strictest privacy settings will need to automatically apply to a product or service.
Data protection by design and default
The Fundamentals contain examples of data protection by design and default measures. Examples include:
- Default privacy settings: Ensure the strictest privacy settings apply by default. For example, where there is an option to make any personal data publicly available, this is not to be the default setting. Rather, the user has to proactively take steps to make their data public.
- User choice: With regards to privacy settings, ensure children have meaningful and clear choice, control and flexibility, especially where the processing operations pose greater levels of risk.
- Sharing and visibility: Do not systematically share a child’s personal data with third parties without clear parental knowledge and control. Organisations should build in parental reminders, where appropriate.
- Nudge techniques: Avoid the use of nudge techniques that encourage or incentivise children to provide unnecessary information or to engage in privacy disrupting actions.
- Parental dashboard: Where appropriate, provide parents with an overall view of activity and settings that their child has available to them. Child accounts should have available information on the functionality of such dashboards.
Comparison with the UK ICO Age Appropriate Design Code
The Fundamentals follow similar guidance issued by the UK Information Commissioner’s Office (“ICO”) in 2020, the UK Age Appropriate Design Code (“AADC”). Although the DPC considers the Fundamentals to have a broader focus than the AADC, there is consistency between the two guidance frameworks. This is demonstrated in both guidance frameworks by: the underpinning principle that the processing is required to be in the best interests of the child; the identification of a child as somebody under the age of eighteen (18); the focus on providing age appropriate transparency information; restrictions with regards to profiling; the emphasis on DPIAs and the focus on design and default settings. There are, however, a number of differences between the Fundamentals and the AADC, and some of the key differences include:
- Immediate Implementation. The AADC included a grace period for organisations to prepare for compliance prior to its application. The Fundamentals do not include a grace period and therefore require compliance by organisations from the date of publication, and the DPC has made clear that the Fundamentals now form the basis for the DPC’s approach to supervision, regulation and enforcement in the area of processing children’s personal data.
- Application to Online and Offline Services. The AADC applies to online services only, while the Fundamentals apply to both online and offline services.
- Detail of Information Provided. The AADC includes recommendations of the types and detail of information to be provided to different age groups for transparency purposes. The Fundamentals emphasise the need for transparency but do not include any recommendations.
- Children Engagement. The Fundamentals provide that children should be able to raise questions with organisations directly (e.g. via instant chat or a privacy dashboard) regarding the transparency of information they receive. The AADC does not encourage this level of engagement with children.
- Prohibition of Child Walls. The Fundamentals provide that if a service is directed to or likely to be used by children, an organisation cannot bypass its obligations by shutting out children or depriving them of a rich user experience. The AADC does not address the possibility of child walls.
- Responsibility for Age and Consent Verification. The Fundamentals indicate a higher burden applies to technology and internet organisations (i.e. whose business models are based on deployment of digital and online technologies) in their efforts to both verify age and verify that consent has been provided. The AADC is silent on this point.
Conclusion
The DPC announced that it is determined to drive transformation in how the personal data of children is handled, a statement which is already being confirmed by its ongoing investigations against Facebook (Instagram) and TikTok. The DPC is treating children’s privacy as an enforcement priority, and the recently published Fundamentals indicate it will continue to do so. As there is no transitional or grace period afforded following publication of the Fundamentals, these Fundamentals apply now, and companies offering services in Ireland must urgently consider if they fall within the scope of the Fundamentals, review any processing of children’s personal data, assess current practices and, where required, implement necessary measures to protect the privacy of child users in alignment with the Fundamentals. Companies who have already taken certain steps to comply with the AADC, will likely find that this ensures a certain level of compliance with the Fundamentals; however additional steps will still need to be taken to address additional points outlined in the Fundamentals.